Commit graph

  • 162aeb5a67 deploy: merge feature/upstream/clone-url-base deploy Forgejo Actions 2026-05-31 22:00:17 -07:00
  • 5d0b2d8355 feat(gitea): add --clone-url-base flag for clone URL rewriting feature/upstream/clone-url-base Erich Blume 2026-03-29 00:16:28 -07:00
  • 83c16b7c5e fix: disambiguate main branch checkout in mirror-sync blumeops Erich Blume 2026-03-29 00:27:50 -07:00
  • 76fd35d996 spork: add mirror-sync workflow Erich Blume 2026-03-28 23:01:33 -07:00
  • c627cc55db Merge pull request #395 from mongodb/development main Mick Grove 2026-05-29 00:02:14 -07:00
  • cf6c4cae0d fixed failing windows test Mick Grove 2026-05-28 23:59:19 -07:00
  • e1c61f8f33 updated docs Mick Grove 2026-05-28 21:10:18 -07:00
  • 31af4b4f6f updated docs Mick Grove 2026-05-28 21:01:44 -07:00
  • dae93afcdd updated docs Mick Grove 2026-05-28 20:21:07 -07:00
  • 93b48e86df fixing bugs Mick Grove 2026-05-28 20:09:08 -07:00
  • 7fc01e5aca fixing bugs Mick Grove 2026-05-28 18:39:45 -07:00
  • 7d4719c7c5 add docker --archive support Mick Grove 2026-05-28 15:50:15 -07:00
  • 816a75e3e4 add docker --archive support Mick Grove 2026-05-28 13:54:59 -07:00
  • 0552d67df7 Authored Devin / Cognition rule Mick Grove 2026-05-27 17:55:32 -07:00
  • 6f560103cc Merge pull request #388 from mongodb/development Mick Grove 2026-05-22 15:37:38 -07:00
  • a0d2fa3611 merged 2 PRs and updated changelog Mick Grove 2026-05-22 13:15:59 -07:00
  • bb7fea155e merged 2 PRs and updated changelog Mick Grove 2026-05-22 14:17:59 -04:00
  • 207174e1a8 merged 2 PRs and updated changelog Mick Grove 2026-05-22 12:37:37 -04:00
  • b1fb90b4c9 Merge pull request #387 from AgentEnder/codex/contain-validator-panics Mick Grove 2026-05-22 12:34:17 -04:00
  • 5d8bc3e88c Merge pull request #386 from AgentEnder/codex/fix-jwt-provider-panic Mick Grove 2026-05-22 12:05:30 -04:00
  • 138eefe2b9 Fixed `failed to spawn thread: Os { code: 11, kind: WouldBlock }` panics during validation-heavy scans. Kingfisher built two Tokio runtimes (main + artifact-fetcher) that each defaulted to 512 blocking threads, which combined with Rayon pools and per-call spawns could exceed the OS per-user thread limit (RLIMIT_NPROC, default 8000 on macOS). Both runtimes now cap their blocking pools at max(num_jobs * 8, 32), and on Unix the soft RLIMIT_NPROC is raised to the hard limit at startup so users don't need to tune `ulimit -u` manually. Mick Grove 2026-05-22 11:50:47 -04:00
  • fd13f268f0 fix(validation): redact panic payloads and clarify panic handling Craigory Coppola 2026-05-21 23:02:57 -04:00
  • d2e4e2f737 fix(validation): contain validator panics Craigory Coppola 2026-05-21 21:44:38 -04:00
  • ebd8acfc1b test(jwt): generate ephemeral RSA keypair in RS256 regression test Craigory Coppola 2026-05-21 21:56:01 -04:00
  • f71b9d826d fix(jwt): unify jsonwebtoken crypto backend Craigory Coppola 2026-05-21 21:15:41 -04:00
  • e332d4eebb Merge pull request #382 from mongodb/development Mick Grove 2026-05-19 04:16:57 -07:00
  • c67dcc049d preparing for v1.100.0 Mick Grove 2026-05-18 23:39:05 -04:00
  • 1830a140d8 preparing for v1.100.0 Mick Grove 2026-05-18 22:28:19 -04:00
  • a8e01c4a6e preparing for v1.100.0 Mick Grove 2026-05-18 18:33:42 -07:00
  • a148a153ac preparing for v1.100.0 Mick Grove 2026-05-18 18:12:27 -07:00
  • d125d68e88 preparing for v1.100.0 Mick Grove 2026-05-18 16:11:15 -07:00
  • f1c6f50d9a preparing for v1.100.0 Mick Grove 2026-05-18 15:51:16 -07:00
  • b58eed2696 preparing for v1.100.0 Mick Grove 2026-05-18 15:19:11 -07:00
  • 91d9f431c5 preparing for v1.100.0 Mick Grove 2026-05-18 14:27:01 -07:00
  • 514832b533 preparing for v1.100.0 Mick Grove 2026-05-18 14:13:30 -07:00
  • 0dedcef95f preparing for v1.100.0 Mick Grove 2026-05-18 13:25:13 -07:00
  • 54d9fc7ecd preparing for v1.100.0 Mick Grove 2026-05-18 13:03:16 -07:00
  • 1636b07810 preparing for v1.100.0 Mick Grove 2026-05-18 09:42:04 -07:00
  • 31663b03b5 Release binary trimmed from 34 MB to 26 MB (~24% smaller). Switched jsonwebtoken to its rust_crypto backend (eliminates our scanner's pull on aws-lc-rs), bumped workspace hmac 0.12→0.13, sha1 0.10→0.11, sha2 0.10→0.11 to deduplicate our internal crypto code with the AWS sigv4 side, and migrated affected call sites in kingfisher-core, kingfisher-rules, and kingfisher-scanner to the digest-0.11 API (hex::encode for hex digests, explicit KeyInit import for HMAC). Mick Grove 2026-05-07 13:46:17 -07:00
  • 34b5c48888 - Archive scanning now reaches inside Android/iOS app packages: added apk, aab, and ipa to the recognized ZIP-based archive formats so secrets embedded in APK/AAB/IPA contents (e.g. classes*.dex, res/values/strings.xml) are extracted and matched. -- - Git repository scans now extract archive blobs encountered in the object database, not just on the filesystem. Previously a .zip/.jar/.apk/.tar.gz committed to a repo was scanned as raw compressed bytes, so secrets inside it were invisible. The git enumerator fans each archive entry out as a synthetic blob with the original commit metadata. Honors --no-extract-archives for opt-out. - Performance: ZIP-based git blobs ≤ 64 MB extract entirely in memory (no temp-file round trip), beating the v1.99.0 baseline by ~15% on a 80 GiB monorepo despite scanning ~300K additional archive-content blobs. Larger archives auto-fall-back to a disk-streaming extractor. - Memory safety: hard caps on archive extraction — 64 MB compressed pre-flight, 256 MB aggregate decompressed per archive (in-memory and disk paths), 512 MB per entry, plus a PK\x03\x04 magic-byte gate. Worst-case footprint is bounded at ~num_jobs * 320 MB. Mick Grove 2026-05-06 17:50:35 -07:00
  • 07644722fd Merge pull request #376 from mongodb/development Mick Grove 2026-05-05 09:27:54 -07:00
  • c60af90a89 preparing for v1.99.0 Mick Grove 2026-05-05 09:25:19 -07:00
  • 237491f994 Merge pull request #375 from mongodb/development Mick Grove 2026-05-05 09:15:26 -07:00
  • 08457b8b69 preparing for v1.99.0 Mick Grove 2026-05-05 09:00:33 -07:00
  • 81f48ba0a4 Merge pull request #374 from mongodb/development Mick Grove 2026-05-05 08:20:02 -07:00
  • 12c141bfac preparing for v1.99.0 Mick Grove 2026-05-05 07:08:40 -07:00
  • aca11be36d preparing for v1.99.0 Mick Grove 2026-05-04 23:47:48 -07:00
  • d88e19e0e1 preparing for v1.99.0 Mick Grove 2026-05-04 23:11:48 -07:00
  • 394d05dd4d preparing for v1.99.0 Mick Grove 2026-05-04 23:10:16 -07:00
  • c26af22d77 Merge pull request #372 from mongodb/development Mick Grove 2026-05-04 21:55:55 -07:00
  • 910d6d9dd3 preparing for v1.99.0 Mick Grove 2026-05-04 19:24:46 -07:00
  • bacdca6a52 preparing for v1.99.0 Mick Grove 2026-05-04 19:00:45 -07:00
  • b28f15252c preparing for v1.99.0 Mick Grove 2026-05-04 18:03:29 -07:00
  • e30a7539b2 preparing for v1.99.0 Mick Grove 2026-05-04 17:22:21 -07:00
  • a9cdaea6cd preparing for v1.99.0 Mick Grove 2026-05-04 14:48:41 -07:00
  • f6e05f0211 preparing for v1.99.0 Mick Grove 2026-05-04 13:26:11 -07:00
  • 0e1fe0cede webhook support and kingfisher configuration yaml support Mick Grove 2026-05-03 23:10:45 -07:00
  • a4cf3990a5 webhook support and kingfisher configuration yaml support Mick Grove 2026-05-03 22:11:26 -07:00
  • 44d67cea1b added SLSA provenance Mick Grove 2026-05-02 00:14:31 -07:00
  • b2287c99ee --self-update (alias --update) on a scan or other command now **re-execs into the freshly installed binary** so the current invocation completes with the new code and the latest detection rules. Previously the on-disk binary was replaced but the running process kept using the old in-memory version, requiring a second invocation to pick up the changes. On Unix this is a true exec() (same PID); on Windows the new binary is spawned and the parent exits with its status code. The explicit kingfisher self-update subcommand still updates and exits without re-execing. Self-update now also covers Windows arm64 (the asset was already published; the runtime cfg map gained the missing arm). See docs/ADVANCED.md → *Update Checks*. Mick Grove 2026-05-01 20:14:27 -07:00
  • 1619737e2c improved access map viewer Mick Grove 2026-04-30 18:11:10 -07:00
  • 20e08105cf improved github organization scanning Mick Grove 2026-04-30 16:40:43 -07:00
  • b2811107a8 Merge pull request #370 from mongodb/development Mick Grove 2026-04-30 12:34:21 -07:00
  • 632bb0113d copilot fixes Mick Grove 2026-04-30 12:07:15 -07:00
  • 87f6bd818f copilot fixes Mick Grove 2026-04-30 11:40:22 -07:00
  • b89c952043 copilot fixes Mick Grove 2026-04-30 11:28:45 -07:00
  • cceab35ec1 copilot fixes Mick Grove 2026-04-30 10:56:35 -07:00
  • 1d1680c207 Merge pull request #369 from mongodb/development Mick Grove 2026-04-30 09:46:17 -07:00
  • 90737f098c copilot fixes Mick Grove 2026-04-30 09:29:23 -07:00
  • b7b6dfdeb2 copilot fixes Mick Grove 2026-04-30 09:02:49 -07:00
  • 06f72ec9f0 copilot fixes Mick Grove 2026-04-30 08:38:14 -07:00
  • 2c08659563 copilot fixes Mick Grove 2026-04-30 00:32:49 -07:00
  • 2589e1a5a0 Merge pull request #368 from mongodb/development Mick Grove 2026-04-29 23:58:46 -07:00
  • c94bd89195 copilot fixes Mick Grove 2026-04-29 23:42:33 -07:00
  • 327342a1bb copilot fixes Mick Grove 2026-04-29 23:16:21 -07:00
  • 30b9eba427 copilot fixes Mick Grove 2026-04-29 22:50:31 -07:00
  • 0dc8157a6e Merge pull request #367 from mongodb/development Mick Grove 2026-04-29 15:05:01 -07:00
  • ab93d4d242 Revert msys2/setup-msys2 to v2.31.0 Mick Grove 2026-04-29 12:57:56 -07:00
  • 1337588c7b Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports. Mick Grove 2026-04-29 11:46:17 -07:00
  • c387ac08d2 Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports. Mick Grove 2026-04-29 11:09:47 -07:00
  • 8d9f5bed40 Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports. Mick Grove 2026-04-29 08:58:11 -07:00
  • 997480ffc7 Added first-class **Postman** scanning target: new kingfisher scan postman subcommand (and equivalent --postman-* flags) fetches workspaces, collections, and environments via the Postman API and scans them for hard-coded credentials in request auth blocks, pre-request/test scripts, saved example responses, and — notably — secret-typed environment variables, which the API returns in plaintext despite the UI mask. Selectors: --workspace, --collection, --environment, --all, with optional --include-mocks-monitors and --api-url for self-hosted endpoints. Authenticates via KF_POSTMAN_TOKEN (or POSTMAN_API_KEY) sent as X-Api-Key; honors X-RateLimit-RetryAfter on 429s. Findings link back to https://go.postman.co/... URLs in reports. Mick Grove 2026-04-29 08:12:08 -07:00
  • e1d15a1cc7 Merge pull request #365 from mongodb/development Mick Grove 2026-04-28 21:06:01 -07:00
  • 0b89e4b02f added blog posts Mick Grove 2026-04-28 19:21:44 -07:00
  • bf6c7da4a4 added blog posts Mick Grove 2026-04-28 15:28:48 -07:00
  • cafa97f8d1 Updated rule Mick Grove 2026-04-27 14:26:07 -07:00
  • 19dafa42ea Added provider endpoint overrides for validation and revocation via global --endpoint PROVIDER=URL and --endpoint-config FILE, with built-in support for self-hosted GitHub, GitLab, Gitea, Jira, Confluence, and Artifactory instances. Mick Grove 2026-04-27 13:20:16 -07:00
  • 5465d903cf added kingfisher.github.9 to detect the new ~520-character stateless GitHub App installation token format (ghs_<APP_ID>_<JWT>). The legacy 36-character ghs_ rule Mick Grove 2026-04-26 16:56:44 -07:00
  • 9ddec4ab8b Merge pull request #358 from mongodb/development Mick Grove 2026-04-24 17:10:15 -07:00
  • 2320a7ff72 performance improvements and rule improvements Mick Grove 2026-04-24 13:51:23 -07:00
  • c73a44fbf9 performance improvements and rule improvements Mick Grove 2026-04-24 12:02:27 -07:00
  • ed8969bc3a Merge pull request #357 from mongodb/development Mick Grove 2026-04-24 07:50:28 -07:00
  • ceff3ab1c5 performance improvements and rule improvements Mick Grove 2026-04-24 00:23:50 -07:00
  • a4e8117c8e performance improvements and rule improvements Mick Grove 2026-04-24 00:14:56 -07:00
  • cb4951c62c performance improvements and rule improvements Mick Grove 2026-04-23 17:25:07 -07:00
  • 6cb404bdcd cargo update Mick Grove 2026-04-23 17:13:18 -07:00
  • 69fb4352f7 cargo update Mick Grove 2026-04-23 16:57:51 -07:00
  • eb339505f6 performance improvements and rule improvements Mick Grove 2026-04-23 16:54:21 -07:00
  • ea19a827a0 performance improvements and rule improvements Mick Grove 2026-04-23 14:45:35 -07:00
  • d8e0a41fe8 performance improvements and rule improvements Mick Grove 2026-04-23 14:42:10 -07:00